Tuesday, February 12, 2013

FreeNAS, CIFS, and user login problems


I have been in the process of converting from the dead-end Windows Home Server product to a FreeNAS server for my home NAS.  I was trying to replicate the same sort of setup that WHS had for user directories.  In WHS, there was a share called "Users" and under that share there were various user directories corresponding to each user account.  I thought it would be pretty simple to replicate that same behavior to allow users to simply attach to \\nas-server-name\Users in Windows, and then navigate to their own user folder.  What follows is how I achieved this, as well as a problem I fought with for a while that prevented certain users from connecting via CIFS.

First, I started off the process by installing FreeNAS to a USB stick, added a few disks to the server, plugged in the USB stick and booted up.  I performed basic configuration of the networking and the admin account password, and turned on the CIFS service.

Next, I created some user accounts for my wife and myself, and then one for my son.  The primary group for each of these accounts was the same as the user name.  Also, I made sure to create these accounts with the same username each person uses to log in to their computer.  This simplifies things later on when they go to attach to the shares, because Windows will offer the matching credentials.  I then created a group called "parents" for my wife and myself, and a group called "users" that everyone was part of.

I then created a ZFS RAID-Z set with all the disks I had added to the server.  I then created a ZFS volume called "main" which was the root of my RAID-Z set and set the owner to "nobody" and the group to "parents", with read, write, and execute permissions for the owner and group.  I then proceeded to create ZFS datasets underneath the main ZFS volume for each of my share points.  I did this because it would allow me to set size limits on each share type to control disk usage.  For each dataset that I only wanted my wife and me to access, I set the owner to "nobody" and the group to "parents".  For the Users share, though, I set the group to "users".  I also created additional datasets under "Users" for each user, so that I could set per-user directory quotas, setting the owner to the user for that dataset and the group to "parents" for all of them.

The "main" volume, and the ZFS datasets below that volume

At this point, I logged in with my user account and my wife's user account, and everything seemed to be working great.  The problem was, I couldn't connect to any share with my son's account!  The problem had to do with the permissions I had set on the "main" volume.  I had set the owner to "nobody" and the group to "parents", with read, write and execute for the owner and group, but no permissions for other.  This configuration only allows members of the "parents" group to traverse this directory, which means that my son, who was only part of the "users" group, couldn't get down to his own share because this top-level directory was preventing him from doing so.

The "incorrect" permissions on the main volume.

The reason for this is that *nix file system permissions on directories control whether you can "traverse" a directory by way of the "execute" bit on that directory; the permission check is applied to every directory on the path, not just the final one.  Because I didn't allow everyone (or at least a group that my son was part of) to traverse through the main volume, only my wife and I could traverse it, because we were part of the "parents" group and had the execute permission.

Once I changed the permissions on the "main" volume to allow "Other" to Read and Execute, my son was able to log in, and could only go down to his own user directory to work with his files.  My wife and I could see and manipulate everything on the NAS, which is exactly what I was striving for.
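To make the traversal rule concrete, here is an added Python model of the POSIX permission check over the layout described above; it is not code from the original post, and the usernames, dataset paths and modes are assumptions reconstructed from the text. It also goes one step beyond the post by showing that execute alone on "main" lets a user pass through to his own dataset without being able to list what else is under "main".

```python
# Constructed model of the post's layout: path -> (owner, group, mode).
# The POSIX check picks the owner bits if the caller owns the directory,
# else the group bits if one of the caller's groups matches, else the
# "other" bits. Reaching a path needs the x bit on every directory on the way.
FS = {
    "/main":             ("nobody", "parents", 0o770),  # the "incorrect" setting
    "/main/Users":       ("nobody", "users",   0o770),
    "/main/Users/chris": ("chris",  "parents", 0o770),
    "/main/Users/son":   ("son",    "parents", 0o770),
}
# Assumed group memberships (primary group named after the user, as in the post).
GROUPS = {"chris": {"chris", "parents", "users"}, "son": {"son", "users"}}

def perm_bits(user, path, fs):
    """Return the rwx triple (0-7) that applies to `user` on `path`."""
    owner, group, mode = fs[path]
    if user == owner:
        return (mode >> 6) & 7
    if group in GROUPS[user]:
        return (mode >> 3) & 7
    return mode & 7

def ancestors_and_self(path):
    """'/main/Users/son' -> ['/main', '/main/Users', '/main/Users/son']."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def can_enter(user, path, fs=FS):
    """True if every directory from the root down to `path` grants x."""
    return all(perm_bits(user, p, fs) & 1 for p in ancestors_and_self(path))

def can_list(user, path, fs=FS):
    """Listing needs x on every ancestor (traversal) plus r on `path` itself."""
    *parents, target = ancestors_and_self(path)
    reachable = all(perm_bits(user, p, fs) & 1 for p in parents)
    return reachable and bool(perm_bits(user, target, fs) & 4)

def with_main_mode(other_bits, fs=FS):
    """Copy of the layout with the 'other' bits of /main replaced (chmod o=...)."""
    out = dict(fs)
    owner, group, mode = out["/main"]
    out["/main"] = (owner, group, (mode & 0o770) | other_bits)
    return out

if __name__ == "__main__":
    fixed = with_main_mode(0o5)         # the post's fix: Other = Read + Execute
    pass_through = with_main_mode(0o1)  # Other = Execute only
    for name, fs in [("original", FS), ("o+rx", fixed), ("o+x", pass_through)]:
        print(name, "| son enters own dir:", can_enter("son", "/main/Users/son", fs),
              "| son lists /main:", can_list("son", "/main", fs),
              "| son lists chris:", can_list("son", "/main/Users/chris", fs))
```

In all three variants the son's account still cannot list another user's dataset, because those datasets grant nothing to "Other".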

5 comments:

Griggs Nichols said...

Great post! Thanks! I'm curious to know how you handled permissions and access on your other directories (Music, Videos, Photos, & Public). Thanks!

Chris DeLashmutt said...

For the other directories, I made the "nobody" user the owner, and then the "parents" group the group owner. Then I set Read, Write and Execute for the Owner and Group, but didn't check any of the boxes for "Other". I just wanted my son to have access to his own directory, for now.

In the future I may tweak this slightly, so that I'll allow "Other" to Read and Execute on most of the "non-sensitive" shares. That way, my son could access Music, and Movies, but couldn't accidentally delete them.

Unknown said...

I noticed, using your tip, that setting permissions at the root level dataset to enable "Other" to only execute, without read access, still allows users with limited access to downstream or nested datasets to log in without having read access to the root level dataset. This is something I have been trying to figure out to protect certain data from unauthorized access by other users.

Thanks for posting this! I have been hoping to avoid going bald while trying to figure out why I had so many issues setting up permissions with limited access.

Matthew Searle said...

You, sir, are a star.

It's taken me 3 1/2 hours and multiple attempts to get to the stage where I have a set of folders I can get to, and a limited set of folders my kids can get to.

Many, many thanks.

vedviveka said...

Can your son browse your directories?
I have been struggling for the last two days to achieve this. We are five users. I want one or two users to see and access all five people's data but restrict the remaining three to only access their own home directory or the three users' directories, i.e. the first two users should be invisible to the remaining three. Can you guide me how to do it?